In today’s digital age, it is often not a matter of “if” but “when” a data breach occurs. To avoid incurring severe penalties (and getting swept up with other loss such as reputational loss), organisations should ensure that its personnel are aware of the organisation’s ongoing obligations under the Privacy Act 1988 (Cth) (Privacy Act) and other applicable privacy laws and respond appropriately in accordance with the organisation’s data breach procedures. Organisations should also ensure that there is a strong privacy culture with appropriate resources deployed so that the organisation is prepared and ready when a data breach does occur. As privacy lawyers, our data breach response team is all too familiar with the panic and scramble that occurs with a data breach (whether suspected, potential or actual). In this post, we set out some of the key data breach procedures and processes for your organisation.
Keep Calm and Reach for Your Data Breach Response Plan
As the saying goes, you should approach a data breach like a snake bite – contain the threat, assess the damage (if any) and notify others. Above all else, stay calm!
If there is a suspected, actual or potential breach of data within the possession or control of your organisation (breach), the individual who is first made aware of the breach (response person) should ensure that he or she follows the processes set out in a data breach response plan (DBRP). If your organisation does not have a DBRP, then the response person should notify the relevant privacy representative(s) (this could include individuals in the IT department, legal representatives and privacy officers within your organisation familiar with the Privacy Act) and provide all relevant information to the privacy representative(s) about the breach that is sufficient for them to undertake risk assessments and conduct investigations about the severity of the breach. Your organisation should ensure that the roles and responsibilities are clearly delineated and that all steps taken from the detection of the breach onwards will be well documented.
Contain, Contain, Contain!
A breach occurs where there is (or there is a likelihood of) unauthorised access to or disclosure or loss of personal information that your organisation holds. You should ask yourself whether you are able to prevent the breach and make attempts to take action to contain and/or mitigate the breach by promptly limiting any unauthorised access and/or disclosure of the personal information. Other steps may include taking preventative steps to prevent additional breach or system compromise.
Hang On, Lets Assess How Serious This Is
The privacy representatives must consider whether there is a reasonable likelihood that a data breach may have occurred and that examine whether the effects of the potential data breach may be serious for at least one or more data subjects (serious harm). To determine if it is likely that the breach caused or is likely to result in serious harm, your organisation should initiate an investigation to assess and evaluate the extent of the breach within 30 days of the breach to determine if the breach is an eligible data breach subject to notification. Such an assessment should be reasonable and expeditious and should consider the types of harm that the breach may cause, strength of any security measures taken and the individuals who obtained or could obtain the personal information. If remedial action is conducted following an assessment of the breach and the remedial action results in a breach that is not likely to cause serious harm as determined by your organisation, the breach is rendered a non-eligible data breach and notification is not required.
Notification: Who and How?
If the breach is an eligible data breach, your organisation should ensure that any notification obligations under applicable insurance and contractual documentation are complied with. This involves the reviewing of all relevant contracts and any insurance policy wording. Your organisation should prepare and prominently publish a statement to all affected individuals or a statement to only individuals at likely risk of serious harm or a notification statement bringing it to the attention of all individuals at likely risk of serious harm. You must also notify the Office of the Australian Information Commissioner and/or other relevant authorities and comply with any directives from such agencies including to disclose any breach assessments or notification statements.
Should Have, Could Have, Would Have
Following the resolution of a data breach, your organisation should review its breach detection and assessment methods and implement technical and legal prevention measures. These include to enhance existing cyber security information assurance measures, to foster a culture of privacy awareness, prevention and detection, to reassess cyber insurance coverage and any data breach response procedures as well as to provide additional training to relevant data breach response personnel or reconfigure any data security resources.
Please note that this article relates only to the Privacy Act 1988 (Cth) and that there may be other health privacy regulations or jurisdictional privacy laws that are applicable to data that your organisation holds. Contact us today to find out more about your organisation’s request for a legal assessment of your organisation’s privacy com